3Com Router Authentication Bypass

2009-02-09T00:00:00
ID PACKETSTORM:74802
Type packetstorm
Reporter Luca Carettoni
Modified 2009-02-09T00:00:00

Description

====================================================
Security Research Advisory  
  
Vulnerability name:  
"3Com OfficeConnect Wireless Cable/DSL Router Authentication Bypass"  
Advisory number: LC-2008-05  
Advisory URL: http://www.ikkisoft.com  
  
====================================================   
1) Affected Hardware/Software   
  
* 3CRWE554G72   
(Hardware version: 3COM_AP51_v01, Software version: 1.2.0 - Nov 14,2006)  
  
Product URL:   
http://www.3com.com/products/en_US/detail.jsp?tab=features&sku=3CRWE554G72&pathtype=support  
  
Other recent versions, as well as similar 3Com devices, may be affected   
due to the shared firmware code base.  
  
====================================================  
2) Severity   
  
Severity: Medium  
Local/Remote: Remote  
  
====================================================   
3) Summary  
  
"The 3Com OfficeConnect Wireless Cable/DSL Router is a high-speed, affordable,   
and easy-to-use small office solution that lets wireless and wired PCs and   
laptops securely share a single broadband Internet connection."   
  
This device is very common due to its affordable price and versatility.
For these reasons it is widely installed by large telecom providers across Europe
(e.g. in Poland, Orange is currently deploying this device for its residential DSL service).
  
This device is prone to an authentication bypass vulnerability that allows
retrieval of the complete system configuration as well as the service
credentials (e.g. web console, wifi network).
  
====================================================  
4) Vulnerability Details  
  
The 3Com OfficeConnect Wireless Cable/DSL Router suffers from an authentication
bypass vulnerability due to an improper authentication/authorization mechanism.

To manage the device, an easy-to-use web console is enabled by default
from the internal network and (optionally) from the Internet.
Although the HTTP daemon does not permit access to HTML pages and the web console
without authentication, it is still possible to invoke and execute
existing CGI programs. Unfortunately, the "System Tools-->Configuration-->Backup
Configuration" functionality saves the current system configuration to a
persistent plain-text file named "config.bin" using a custom CGI program.
An unauthenticated user may directly invoke the "SaveCfgFile" CGI program and
easily download the system configuration, which contains configuration information,
users, passwords, wifi keys and other sensitive information.
  
Note: if the "Remote Administration" option is enabled, this vulnerability may   
be exploited from the Internet as well.  
  
Example of sensitive content within the "config.bin" file:  
[...]  
pppoe_username=xxxxxxxxxxxxxxx  
pppoe_password=xxxxxxxxx  
pppoe_service_name=xxxxxxxxx  
[...]  
mradius_username=xxxxxx  
mradius_password=xxxxxx  
mradius_secret=xxxxxxx  
[...]  
http_username=xxxxx  
login_password=xxxxx  
http_passwd=xxxxx  
[...]  
AuthName=xxxxxxx  
AuthPassword=xxxx  
snmpStatus=xxxxxxx  
snmpRoCommunity=xxxxxxxx  
snmpRwCommunity=xxxxxxxx  
[...]  
multi_dmz_wan_ip1=xxxxxxxxxx  
[...]  
lan_macaddr=xxxxxxxxxxxxx  
[...]  
  
Later on, looking for similar vulnerabilities in the Bugtraq database,
I found a similar finding discovered by Patrik, cqure.net
(iDEFENSE Security Advisory 01.20.05). As far as I know and I can understand   
from the firmware versions reported, this issue seems to be a further   
authentication bypass technique due to an insufficient patch supplied   
by the vendor.   
  
====================================================   
5) Exploit   
  
Attackers may exploit this flaw through a common web browser.  
  
http://<IP>/SaveCfgFile.cgi  
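Because the bypass is a plain GET to a CGI program, a successful download leaves a recognisable trace in any web server, proxy or IDS log in front of the device. The following detection logic is an added example (not part of the advisory): it scans constructed Common Log Format lines for successful requests to SaveCfgFile.cgi and ranks them, treating unauthenticated requests from outside the LAN (the "Remote Administration" case) as the highest severity. The log format, the 192.168.1.0/24 internal subnet and the use of the CLF authuser field as the authentication indicator are assumptions.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample access-log lines (Common Log Format); not taken from the advisory.
SAMPLE_LOG = """\
192.168.1.10 - - [09/Feb/2009:10:01:02 +0100] "GET /index.htm HTTP/1.1" 401 0
192.168.1.10 - admin [09/Feb/2009:10:01:20 +0100] "GET /SaveCfgFile.cgi HTTP/1.1" 200 4096
203.0.113.45 - - [09/Feb/2009:10:02:11 +0100] "GET /SaveCfgFile.cgi?x=1 HTTP/1.1" 200 4096
198.51.100.7 - - [09/Feb/2009:10:03:00 +0100] "GET /login.htm HTTP/1.1" 200 812
"""

# CLF fields: client ident authuser [date] "request" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\d+|-)$'
)
LAN = ipaddress.ip_network("192.168.1.0/24")   # assumed internal subnet
SENSITIVE_CGI = {"/SaveCfgFile.cgi"}           # CGI program named in the advisory

@dataclass
class Finding:
    ip: str
    path: str
    remote: bool            # source outside the LAN (Remote Administration exposure)
    unauthenticated: bool   # no authuser recorded on the request
    severity: str

def classify(remote: bool, unauthenticated: bool) -> str:
    """Unauthenticated config downloads from the Internet are the worst case."""
    if unauthenticated and remote:
        return "high"
    if unauthenticated:
        return "medium"
    return "info"   # an admin's legitimate backup; still worth an audit trail

def analyse(log_text: str, lan=LAN) -> list[Finding]:
    """Return one Finding per successful request for a sensitive CGI program."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        path = m.group("path").split("?", 1)[0]       # drop any query string
        if path not in SENSITIVE_CGI or m.group("status") != "200":
            continue
        ip = ipaddress.ip_address(m.group("ip"))
        remote, unauth = ip not in lan, m.group("user") == "-"
        findings.append(Finding(str(ip), path, remote, unauth, classify(remote, unauth)))
    return findings
```

Until the firmware is updated, any "high" finding should be treated as a confirmed configuration leak and the credentials listed in config.bin rotated.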
  
====================================================   
6) Fix Information   
  
To reduce the overall exploitability, disable the "Remote Administration"   
option. However, a firmware update is required in order to resolve this issue.  
  
====================================================   
7) Time Table   
  
08/12/2008 - Vendor notified via "3Com Vulnerability Disclosure Form"  
??/??/???? - Vendor response.  
??/??/???? - Vendor patch release.  
09/02/2009 - Public disclosure.  
  
====================================================   
8) Credits   
  
Discovered by Luca Carettoni - luca.carettoni[at]ikkisoft[dot]com  
  
====================================================   
9) Legal Notices  
  
The information in the advisory is believed to be accurate at the time of  
publishing based on currently available information.   
This information is provided as-is, as a free service to the community.   
There are no warranties with regard to this information.  
The author does not accept any liability for any direct, indirect,  
or consequential loss or damage arising from use of, or reliance on,  
this information.  
Permission is hereby granted for the redistribution of this alert, provided   
that the content is not altered in any way, except reformatting, and that due   
credit is given.  
  
This vulnerability has been disclosed in accordance with the RFP   
Full-Disclosure Policy v2.0, available at:  
http://www.wiretrip.net/rfp/policy.html  
  
====================================================  